Bringing Infosec Into The Devops Tribe: Q&A With Gene Kim and Pete Cheslock

As we see more companies undertake cloud initiatives, deploying new projects into places like Amazon, Google and Azure, Infosec teams become new barriers to progress. We should instead be providing deep insight into services, users, and activities that these companies need, and provide this information to Devs, Ops and Infosec users.

2.
Introductions
Gene Kim
Founding CTO of Tripwire
Gene Kim is co-author of "The Phoenix Project: A Novel About IT, DevOps, and
Helping Your Business Win", founder and former CTO of Tripwire, Inc., and is hosting
the upcoming DevOps Enterprise Summit.

3.
Introductions
Pete Cheslock
Senior Director of Operations and Support at Threat Stack
Pete Cheslock is the Senior Director of Operations and Support for Threat Stack. He
focuses relentlessly on the uptime of the Cloud Sight service and is passionate about
supporting the company’s ever-growing customer base. Pete is a 15-year veteran
of the technology industry and most recently built out the automation and release
engineering teams at Dyn as well as for the Amazon-backed cloud archiving
company Sonian.

6.
Gene:
“How in the world did a nice DevOps person like
you end up in the bowels of Infosec? Usually it
works the other way around — the smart Infosec people
flee to saner grounds like DevOps.”

7.
Pete:
“I wasn’t specifically looking for a job in the Infosec field, but
after getting introduced to Threat Stack, it opened my
eyes to a whole new world I felt like I was missing out on.”
“What I saw was…”

8.
“…a convergence of Infosec and DevOps
much like we saw when Dev and Ops teams
needed to fundamentally change their thought
process in order to win.”

9.
“As we see more and more
companies of all sizes
undertake cloud initiatives,
deploying net-new projects into
places like Amazon, Google
and Azure, Infosec teams
become the new barriers to
progress.”

10.
“I see a world where we [Threat Stack] can
provide deep insight into services, users, and
activities that these companies need, and
provide this information to DevOps, Ops and
Infosec users alike.”

11.
“We can then embed this visibility and
monitoring into the workflow, allowing
companies to deploy more scalable and
elastic infrastructure.”

12.
“It will become more and more
critical that businesses continually
monitor and analyze
the scope of changes
to their systems.”
“And these monitors should be integrated early.”
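Pete’s point about continually monitoring the scope of changes to a system, carried into code as an added example that is not part of the original deck and not Threat Stack’s or Tripwire’s own product code: a baseline snapshot of a file tree is diffed against a later snapshot, and any change the deployment did not declare is reported separately from the ones it did. The sample tree, the sha256-plus-mode fingerprint and the “declared paths” set are assumptions made for this illustration.

```python
"""Change-scope monitor: snapshot a tree, diff a later snapshot against it,
and surface changes the deployment did not declare.

Added illustration; not Threat Stack or Tripwire code. The sample tree,
the fingerprint (sha256 + permission bits) and the declared-paths set are
assumptions made for the example.
"""
import hashlib
import stat
import tempfile
from pathlib import Path


def snapshot(root):
    """Map each regular file's relative path to (sha256 hex digest, mode bits)."""
    root = Path(root)
    snap = {}
    for path in sorted(root.rglob("*")):
        if path.is_file() and not path.is_symlink():
            digest = hashlib.sha256(path.read_bytes()).hexdigest()
            snap[path.relative_to(root).as_posix()] = (
                digest, stat.S_IMODE(path.lstat().st_mode))
    return snap


def diff_snapshots(base, current):
    """Return added, removed and modified paths between two snapshots."""
    base_paths, cur_paths = set(base), set(current)
    return {
        "added": sorted(cur_paths - base_paths),
        "removed": sorted(base_paths - cur_paths),
        "modified": sorted(p for p in base_paths & cur_paths
                           if base[p] != current[p]),
    }


def unexpected_changes(diff, declared):
    """Keep only changes outside the set of paths the release declared it would touch."""
    return {kind: [p for p in paths if p not in declared]
            for kind, paths in diff.items()}


def demo():
    """Build a constructed tree, run a 'deploy' on it, and report the undeclared changes."""
    with tempfile.TemporaryDirectory() as root:
        root_p = Path(root)
        (root_p / "app").mkdir()
        (root_p / "etc").mkdir()
        (root_p / "app" / "server.py").write_text("print('v1')\n")
        (root_p / "etc" / "sshd_config").write_text("PermitRootLogin no\n")
        (root_p / "etc" / "sudoers").write_text("root ALL=(ALL) ALL\n")
        base = snapshot(root)

        # The release declares that it touches only app/server.py (assumption).
        declared = {"app/server.py"}
        (root_p / "app" / "server.py").write_text("print('v2')\n")
        # Two things the release did not declare also changed:
        (root_p / "etc" / "sshd_config").write_text("PermitRootLogin yes\n")
        (root_p / "etc" / "cron.d").mkdir()
        (root_p / "etc" / "cron.d" / "nightly").write_text("0 2 * * * root /opt/job\n")

        diff = diff_snapshots(base, snapshot(root))
        return diff, unexpected_changes(diff, declared)


if __name__ == "__main__":
    diff, unexpected = demo()
    print("all changes:      ", diff)
    print("undeclared changes:", unexpected)
```

Running the baseline snapshot before a deploy and the comparison right after it turns “monitor the scope of changes” into a pipeline step: the declared set is what the release promised, and anything in `unexpected_changes` is what Dev, Ops and Infosec all want to see immediately rather than at the next audit.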

13.
Gene:
Here’s a quote from Josh Corman:
“If there’s one message that everyone in Infosec should
know about the DevOps community, it’s this:
DevOps is waiting for Infosec with open arms.
Come on in, the water is awesome.”
“Do you agree with his thesis?”

14.
“It’s been an exciting time as DevOps and the
overall community around that movement has
matured over the past 5 years.”
“Companies are making amazing
organizational changes and fundamentally
shifting how they do business online.”

15.
“I see the same thing when it comes to Infosec
teams and security-minded folks within companies.”
“But at many of these companies, the
Security teams don’t have a seat at the table.
They are getting shot down while the rest of the
organization is making changes at an incredible
rate.”

16.
“So how can we enable Security and Infosec teams
to embrace this new world of continuous deployment
and elastic infrastructure?”

17.
“Much like how we saw for the DevOps world,
it will come down to a mix of culture change
and improved technical applications that
will facilitate the integration of Infosec into
DevOps.”

18.
“Much like how Chef and Puppet enabled
teams to more effectively build and deliver
highly scalable systems.”

19.
“I see Threat Stack poised to deliver the tools
to allow deep insight and visibility into the
applications and services being deployed.”

21.
Pete:
“It looks like enterprises like GE Capital, Macy’s, Target,
and Nordstrom are early adopters of DevOps in the
enterprise; how does Infosec need to change when
more of the Dev to Ops value stream migrates to
DevOps patterns?”

22.
“My belief is that we’re going to see the Infosec
function transform just like QA/Test is transforming.”
“In other words, in high performing DevOps
organizations, you very rarely see a QA department
that is writing and running the tests.”

23.
“Instead, QA is helping to coach Dev on how
to write good test cases and ensures that the
right feedback loops exist so that Dev can
validate that they’re achieving the functional
and non-functional requirements.”

24.
“Infosec is not doing the security scans, nor is it
pestering Dev and Ops to look at their reports.”
“Instead, they are helping to create the automated
tools so that Dev and Ops can get fast and
constant feedback on if the code and environment
are achieving security objectives.”

25.
“My favorite example is the three-year
transformation of the Twitter Infosec function,
which started when @BarackObama was
hacked, resulting in an FTC injunction requiring
that Twitter be secure for the next 15 years.”

26.
“They integrated Infosec into the daily work
of Dev and Ops with the primary mission of not
getting in their way.”

28.
“The main obstacle for DevOps adoption in
large enterprises is Infosec and Compliance,
and you can hardly blame them.”
“For decades, both Dev and Ops seem to
have done everything they could to fix security
defects exposed late in the project lifecycle.”

29.
“But what every Infosec and Compliance practitioner
needs to know is that: DevOps is the best thing in
at least 20 years to happen to our field.”

31.
“1. When Dev and Ops embrace DevOps
principles, we fully embrace all the non-functional
requirements, like performance, quality,
reliability, and yes, security.”
“We want to know when we’re writing or operating
code or environments that aren’t secure.”

32.
“2. Because DevOps organizations are
constantly doing deployments, the ‘find to fix’
cycle time is very short.”
“So the days of Dev or Ops taking nine months
to get an urgent change into production are
coming to an end.”

33.
“3. DevOps value streams that sustain tens,
hundreds or even thousands of deployments
per day (i.e. Netflix, Etsy, Google), can’t be
done without a ton of effective controls.”
“There are FAR MORE controls (i.e. security
scans, performance testing, deployment
validation) in a DevOps organization than in a
traditional waterfall SDLC.”
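The kind of control Gene describes, Infosec building automated checks that give Dev and Ops fast feedback on whether code and environment meet security objectives, shown as an added example that is not part of the original deck and not code from Threat Stack or Tripwire: a pre-deploy gate that runs a few policy checks over a deployment manifest and fails the pipeline step when any finding exists. The manifest layout, the `ref://` convention for secret references and the admin-port list are assumptions made for this illustration.

```python
"""Pre-deploy security gate: policy checks a pipeline runs on every
deployment so Dev and Ops see security findings beside their test results.

Added illustration; not Threat Stack or Tripwire code. The manifest
layout, the ref:// convention for secret references and the admin-port
list are assumptions made for the example.
"""
import ipaddress

# Ports that should never be reachable from the whole internet (assumption).
ADMIN_PORTS = {22, 3389, 5985, 5986}
# Variable-name fragments that suggest a secret (assumption).
SECRET_HINTS = ("PASSWORD", "SECRET", "TOKEN", "KEY")


def check_ingress(rules):
    """Flag ingress rules that expose an admin port to 0.0.0.0/0 or ::/0."""
    findings = []
    for rule in rules:
        net = ipaddress.ip_network(rule["cidr"], strict=False)
        exposed = ADMIN_PORTS & set(range(rule["from_port"], rule["to_port"] + 1))
        if net.prefixlen == 0 and exposed:
            findings.append(("ingress",
                             f"{rule['name']} opens {sorted(exposed)} to {rule['cidr']}"))
    return findings


def check_env(env):
    """Flag secret-looking variables that hold a literal instead of a ref:// pointer."""
    findings = []
    for name, value in env.items():
        looks_secret = any(hint in name.upper() for hint in SECRET_HINTS)
        if looks_secret and not str(value).startswith("ref://"):
            findings.append(("env", f"{name} is a literal secret in the manifest"))
    return findings


def check_runtime(runtime):
    """Flag containers that run as root or in privileged mode."""
    findings = []
    if runtime.get("user", "root") == "root":
        findings.append(("runtime", "container runs as root"))
    if runtime.get("privileged", False):
        findings.append(("runtime", "container is privileged"))
    return findings


def gate(manifest):
    """Run every check and return (passed, findings); the pipeline step exits non-zero on failure."""
    findings = (check_ingress(manifest.get("ingress", []))
                + check_env(manifest.get("env", {}))
                + check_runtime(manifest.get("runtime", {})))
    return not findings, findings


# Constructed sample manifest: three policy violations plus two clean entries.
SAMPLE_MANIFEST = {
    "ingress": [
        {"name": "web", "cidr": "0.0.0.0/0", "from_port": 443, "to_port": 443},
        {"name": "ops", "cidr": "0.0.0.0/0", "from_port": 20, "to_port": 25},
        {"name": "bastion", "cidr": "10.0.0.0/8", "from_port": 22, "to_port": 22},
    ],
    "env": {
        "DB_HOST": "db.internal",
        "DB_PASSWORD": "hunter2",
        "API_TOKEN": "ref://vault/api-token",
    },
    "runtime": {"user": "root", "privileged": False},
}

if __name__ == "__main__":
    passed, findings = gate(SAMPLE_MANIFEST)
    for kind, message in findings:
        print(f"[{kind}] {message}")
    raise SystemExit(0 if passed else 1)
```

Each check is small on purpose: the value of the control is that it runs on every deployment, with the same exit-code contract as the unit tests, so a finding blocks the change minutes after it was written rather than surfacing in a scan report months later.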

35.
Threat Stack is hosting Gene Kim
at our AWS re:Invent booth (#742)
on Wednesday, November 12, 2014 from 11am-12:30pm
for a free book signing of The Phoenix Project.
We look forward to seeing you then!